Target’s Father’s Day Weekend Nightmare

On June 15, 2019, the day before Father’s Day, social media
was inundated with photos of long lines of red carts as Target customers were
unable to check out. A crash of Target’s POS system left Target unable to
use their cash registers. The outage caused hundreds of thousands of Target
shoppers nationwide to abandon their shopping carts filled with last-minute
Father’s Day gifts and head elsewhere. The outage was only partially fixed by
the morning of Father’s Day, leaving Target still unable to accept credit
cards. In a world dominated by card and tap-and-go payments, this outage
must have been financially devastating for Target.

Imagine if your own business could not accept credit cards
for two business days. While there has been no official word from Target as of
Monday, June 17, about what might have happened to the credit card processing
component of their POS system, it seems like a good time to review PCI
Compliance rules to make sure you are protected from a major breach. If Target
can have POS failures and credit card data breaches, you can bet it can happen
to you.

Looking into the recent past, 5 million Saks
Fifth Avenue customers had their personal data stolen. That pales in
comparison to the 40 million cards that were hacked from Target
in 2013 and the 56 million Home Depot
customers that had their account information compromised in a breach of its POS
system. Do you know how your card data is stored and what your vulnerability
is? More importantly, do you know what your liability is if you get hacked and
how much it could potentially cost you out-of-pocket?

PCI DSS is the Payment Card Industry Data Security
Standards, the standards that merchants who transact business by credit or
debit card must abide by. It was jointly created by Visa, MasterCard, Discover,
and American Express in 2004 to prevent data breaches. The most recent version
is PCI DSS 3.2, and it was introduced in April 2016. The same rules are
relevant to all merchants, regardless of revenue and credit card transaction
volumes.

There are 12 requirements outlined in PCI DSS 3.2, but merchants
must comply with a total of 251 sub-requirements across the 12 requirements.
These standards apply to all merchants that deal with cardholder data.
Cardholder data refers specifically to the credit card number, along with cardholder
name, expiration date, and security code (CSC). The compliance mandates are so
strict and so technical that they can be extremely confusing to most people. The
good news is, if you are using third-party software as your POS system, you are
likely in compliance through the efforts of your software vendor. If you
process credit cards through your software, your software vendor likely stores
the credit cards in their system and not anywhere in your system. It’s worth
asking your software vendor to be sure.

The 12 Step PCI Compliance Checklist:

- Safeguard cardholder data by implementing and maintaining a firewall.

- Create custom passwords and other unique security measures rather than using the default settings from your vendor-supplied systems.

- Safeguard stored cardholder data.

- Encrypt cardholder data that is transmitted across open, public networks.

- Log and report all access to network resources and cardholder data.

- Regularly test security systems and processes.

- Address information security throughout your business by creating a policy.

While software solutions such as Clover, FastTrak, Square or
ShopKeep generally take care of the vast majority of the steps toward eCommerce
PCI compliance for their merchants, you will still need to implement policies
that prohibit your employees from writing down credit card information and storing
it anywhere in your business or committing other violations of standards.
Merchants that fail to comply with PCI DSS and get hacked may be subject to
fines, card replacement costs, and costly forensic audits. The credit card
companies administer these fines at their discretion, levying them on the
merchant’s bank (known as the acquiring bank); fines for PCI compliance
violations or breaches range from $5,000 to $100,000. The acquiring bank
passes the fine on to the merchant.

On top of those fines, merchants may be subject to
additional penalties from their bank as well. Banks and credit card processors
may terminate their relationship with the merchant altogether, or simply
increase the per-transaction processing fees and require the merchant to pay
for the replacement of the credit cards that have been compromised in the
breach. Penalties are not openly discussed nor widely publicized, but they can
be catastrophic to a business. It is important to be familiar with your credit
card merchant account agreement(s), which should fully outline your exposure.

For less than what you would pay for a single steak dinner,
you can purchase a Data Protection Plan from your credit card processor that
would protect you in the event you missed one of the 263 rules you are expected
to know and follow. If you would like more information about data protection or
credit card processing in general, please contact Chosen Payments at
855-4CHOSEN.
